[tor-talk] onion routing MITM

Seth David Schoen schoen at eff.org
Tue Jan 26 19:30:27 UTC 2016


populationsteamsir at tutanota.com writes:

> The question is: From a user perspective, http://3g2upl4pq6kufc4m.onion just 
> looks like random characters. (And in fact, if it's a hash of a public key, 
> which was originally randomly generated, then indeed these *are* random 
> characters). You obviously don't want to memorize a domain name such as this, 
> and as a human, you're very bad at recognizing the difference between 
> http://3g2upl4pq6kufc4m.onion and http://xmh57jrzrnw6insl.onion

In the Zooko's Triangle sense, Tor hidden service names are secure and
decentralized, but not human-meaningful (or human-memorable).

https://en.wikipedia.org/wiki/Zooko's_triangle

That is to say that Tor hasn't tried to solve the problem you mention
at all.  The answer seems to be that you're supposed to get the names
somewhere else and store them in something other than your human memory.
This is in common with a few other designs that use representations
of crypto keys directly (for example, PGP and Bitcoin) and where
someone could try to trick you into using a key that isn't really the
right one.  In the PGP example, someone has uploaded a fake key with my
name and e-mail address to the keyservers (several years ago), which has
already fooled a number of people because they couldn't or didn't readily
distinguish my real key from the fake key, both of which are just numbers
that someone on the Internet has claimed are relevant to contacting me.

If you have ideas for making this more convenient, I'm sure they would
be welcome.  Aaron Swartz proposed in 2011 that blockchains and related
systems could solve it by letting people publicly announce claims to
(human-memorable) names in an append-only log.

http://www.aaronsw.com/weblog/squarezooko

There are some implementations of related ideas, like okTurtles, but
none is extremely widely used yet.

> What prevents a person from registering a new .onion site, such as 
> http://laobeqkdrj7bz9pq.onion and then relaying all its traffic to  
> http://3g2upl4pq6kufc4m.onion, and trying to get people to believe that 
> *they* are actually the duckduckgo .onion site?

Indeed, Juha Nurmi described earlier today that people are doing exactly
that right now, probably with some success.

https://lists.torproject.org/pipermail/tor-talk/2016-January/040038.html

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
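
Added example, not part of the original message and not Tor's own code: a minimal Python sketch of keeping onion names in an address book instead of in memory, and of how a 16-character name of the kind quoted in this thread is derived (base32 of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key). The `PINNED` table and the function names are hypothetical, and the entry assumes the address the thread treats as DuckDuckGo's was obtained through a channel you already trust.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# 16 base32 characters (a-z, 2-7) = 80 bits, the form of the names in this thread.
ONION_V2 = re.compile(r"[a-z2-7]{16}\.onion")

# Hypothetical address book; the entry is the address the thread treats as
# DuckDuckGo's and is assumed to have been obtained from a trusted channel.
PINNED = {"duckduckgo": "3g2upl4pq6kufc4m.onion"}


def onion_from_der(der_public_key: bytes) -> str:
    """Derive a 16-character onion name: base32 of the first 80 bits of the
    SHA-1 digest of the DER-encoded RSA public key."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def check(label: str, url: str) -> str:
    """Compare the onion name in `url` with the pinned name for `label`."""
    host = (urlsplit(url).hostname or "").lower()
    # Tor ignores subdomains of an onion name, so keep only the last two labels.
    host = ".".join(host.split(".")[-2:])
    if not ONION_V2.fullmatch(host):
        return "malformed"
    pinned = PINNED.get(label)
    if pinned is None:
        return "unknown-label"
    # Exact match only: names that differ in any character belong to
    # unrelated keys, however similar they look to a human reader.
    return "match" if host == pinned else "mismatch"


if __name__ == "__main__":
    for url in ("http://3g2upl4pq6kufc4m.onion",
                "http://xmh57jrzrnw6insl.onion",
                "http://laobeqkdrj7bz9pq.onion"):
        print(url, "->", check("duckduckgo", url))
    # Constructed bytes standing in for a DER-encoded key, to show the name format.
    print(onion_from_der(b"constructed stand-in for a DER public key"))
```

The third address from the quoted question is reported as malformed because `9` is not in the base32 alphabet, so it could not be a real name of this form.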

